Tally of Major Breaches Ever-Changing

Those using the federal list of major health information breaches to keep score of how many individuals have been affected must keep in mind that the list is revised as investigations continue.

For example, as of Jan. 21, the total number of individuals affected by breaches, according to the list, stood at just over 6 million, down from 6.3 million a month earlier. The reason? The tally for one incident was slashed dramatically after an investigation.

In addition, a spokesman for the Department of Health and Human Services' Office for Civil Rights says it's possible that another incident, in Puerto Rico, which apparently affected about 400,000 individuals, is double-counted on the office's health information breach list. That could lead to another adjustment in the running total in the weeks ahead.

Breach Incident Investigation

As reported earlier at HealthcareInfoSecurity.com, a health information breach incident involving Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan initially was estimated to have potentially affected more than 280,000 individuals. But now, the OCR tally indicates 808 were affected by the incident, which involved the loss of an unencrypted flash drive. Had the drive been encrypted in line with HHS guidance, the data on it would not have counted as "unsecured" protected health information, and the loss would not have been a reportable breach under the rule at all.

"The covered entity's forensic analysis of this incident concluded that that number originally reported was incorrect, and that, in fact, only 808 individuals were at risk as a result of this incident," the OCR spokesman says.

Meanwhile, OCR is continuing to investigate whether the Puerto Rico breach incident is double-counted in its tally. A covered entity, the Puerto Rico Department of Health, and its business associate, Triple-S Salud Inc., apparently submitted three different reports for that one incident, the OCR spokesman says.

For now, the OCR breach list, by including all three reports, reflects a total of 806,000 individuals affected. "Eventually we may count these three for just a total of 400,000," the spokesman says. "It's complicated as these reports are in Spanish and our investigators have been working to understand the business associate relationships and what transpired."

As reported earlier, Triple-S Management Corp., a holding company that runs Blue Cross and Blue Shield plans and serves as a government contractor, said in a recent 10-Q securities filing that a competitor informed it that "certain of our competitor's employees" accessed a database without permission Sept. 9-15, 2010, in a breach incident affecting 400,000. Triple-S Management is the parent company of Triple-S Salud.

225 Breach Incidents

As of Jan. 21, the federal tally of health information breaches affecting 500 or more individuals lists a total of 225 incidents. Twelve new cases affecting about 28,000 have been reported since Dec. 22. Roughly 22 percent of all incidents on the list involve business associates, and about 57 percent involve the theft or loss of computer devices.

Under the interim final version of the breach notification rule, breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery. A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected to be issued early this year. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine whether an incident poses a significant risk of financial, reputational or other harm to the individuals involved and, thus, must be reported.

Attorney Kathy Roe predicts that the final HITECH breach notification rule likely will not eliminate the controversial harm standard, but instead will refine the standard to better define how to determine whether a breach represents a significant risk of harm and merits reporting (See: HIPAA Enforcement: A 2011 Priority?).

About the Author

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
